Re: Changing Cloud Controller Database (CC_DB) encryption key after the DB has been created?
Sandy Cash Jr <lhcash@...>
The key is used in a field encryptor - so if you change the key, you can no
longer decrypt encrypted fields in the database (at least, this is my gut instinct about what you're seeing).

My guess is that, if you change the encryption key, you need a procedure which includes saving the old key long enough to decrypt the fields, then re-encrypting them using the new key. There are definite transaction boundaries you'd need to observe before throwing away the previous key.

My $0.02,

-Sandy

--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209
"I skate to where the puck is going to be, not to where it has been." - Wayne Gretzky

From: "Daniel van Dorp" <daniel(a)vandorp.biz>
To: cf-dev(a)lists.cloudfoundry.org
Date: 11/06/2015 10:19 AM
Subject: [cf-dev] Changing Cloud Controller Database (CC_DB) encryption key after the DB has been created?

This is a follow-up of this Google Groups conversation:
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/AnJm9aGe07Y/eB9qv689b2gJ

Basically, for a development installation set up via this:
https://github.com/cloudfoundry-community/cf-boshworkspace/blob/master/deployments/cf-aws-large.yml#L39

I want to change the secret over there to a randomly generated value instead. When I do this before using the installation (e.g. creating spaces and apps), all is well. However, if I do this after using the installation, I get these errors:

FAILED
Error finding available spaces
Server error, status code: 500, error code: 10001, message: An unknown error occurred.

Pretty much what was mentioned here:
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/AnJm9aGe07Y/N25ejNpHWyYJ

In the conversation that I'm trying to follow up here ( https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/AnJm9aGe07Y/N25ejNpHWyYJ ), it is stated:

"you can't change your DB encryption key in your manifest after the DB has been created!"

That would mean that, after using an installation, you can never change your secrets for the CC_DB again?
I find that hard to believe personally, since the secret can be changed just fine at a lot, if not all, other places within CF. There should be a workaround/manual fix/procedure for this kind of change to the CC_DB, I think?
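As an added illustration of the rotation procedure Sandy describes (decrypt with the old key, re-encrypt with the new one, and commit only once every row has succeeded), here is a hypothetical Ruby field encryptor with a rotation routine. It is not Cloud Controller's own code; the AES-256-GCM cipher, the PBKDF2 derivation with its salt, and the `encrypted_env` column name are assumptions.

```ruby
require 'openssl'
require 'base64'

# Hypothetical field encryptor (not Cloud Controller's own implementation):
# derives a 256-bit key from the manifest secret and AEAD-encrypts one field.
class FieldEncryptor
  def initialize(secret, salt: 'cc-db-field-salt') # salt value is assumed
    @key = OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: 10_000,
                                     length: 32, hash: 'sha256')
  end

  # Returns base64(iv || auth_tag || ciphertext) for storage in a text column.
  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ct)
  end

  # Raises OpenSSL::Cipher::CipherError when the key does not match the blob,
  # which is the kind of failure behind the 500 errors in the thread.
  def decrypt(blob)
    raw = Base64.strict_decode64(blob)
    iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.update(ct) + cipher.final
  end
end

# Re-encrypts the :encrypted_env field of every row from old_secret to
# new_secret. All rows are decrypted and re-encrypted in memory first and
# written back only when every one succeeded, standing in for the single
# transaction a real rotation would run; a failure leaves `rows` untouched,
# so the table is never left half under the old key and half under the new.
def rotate_key(rows, old_secret, new_secret)
  old_enc = FieldEncryptor.new(old_secret)
  new_enc = FieldEncryptor.new(new_secret)
  staged = rows.map do |row|
    row.merge(encrypted_env: new_enc.encrypt(old_enc.decrypt(row[:encrypted_env])))
  end
  rows.replace(staged) # "commit"
  rows.size
end
```

The old secret is only needed for the duration of the rotation; once every row decrypts under the new one, it can be dropped from the manifest.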